20.10.06

Microsoft rejects Danish claim of a flaw in IE 7

How embarrassing. On the very same day that Microsoft launches Internet Explorer 7, the Danish security firm Secunia is able to reveal that the browser contains a vulnerability that can be abused by hackers. Secunia therefore received the no doubt expected worldwide fame across the electronic news media. But is the fame deserved?

Microsoft does not think so. According to the news service CNET, Microsoft points out that the problem Secunia identifies lies not in IE 7 but in Outlook Express. Microsoft's browser can be used to launch the attack against Outlook, but so can any other browser! See the article here, if you like.

I wonder how Secunia will react to this. If Microsoft is telling the truth, the Danish firm's conduct looks like trading on the world's attention for its own gain without having the professional competence in place. How embarrassing!

Who is right, Secunia?

Addendum at 11:30: Secunia has now responded. See under Comments.

1 comment:

Dorte Toft said ...

It turns out that Secunia's people are not allowed to blog, so there will be no direct answer here. But Secunia has just sent me its official response in the matter.

SECUNIA WRITES:
Microsoft claims the recent IE7 vulnerability is an Outlook Express vulnerability:
http://blogs.technet.com/msrc/archive/2006/10/19/information-on-reports-of-ie-7-vulnerability.aspx

This may be true - from an organisational point of view within Microsoft. However, the vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector.

Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component.

For a long time Microsoft has had a policy of tagging various vulnerabilities where IE was the primary or only attack vector as operating system vulnerabilities. This does lead to some confusion and may cause users and system administrators to view the issues as less significant.

Again, while it may be correct from an organisational (and PR?) point of view within Microsoft, this does not fit into how it is perceived by users and administrators and how they are going to defend against exploitation.

In short, Secunia finds it necessary and reasonable to flag Internet Explorer as being vulnerable if Internet Explorer provides a clear direct vector to a vulnerable component, which is included by default in a fresh clean install of Microsoft Windows.

Hiding behind an explanation that certain vulnerabilities, which are only exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote the security of IE rather than standing up and explaining to the users where the true risk is and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components.